Ascension Health Cyber Incident Part 2

For the latest from Ascension Health, please go here: https://about.ascension.org/en/cybersecurity-event

So not a lot of new or shocking information has been released on this one except for a high-level cause, but we wanted to do a follow-up based on what we currently understand.

Apparently, an Ascension Healthcare worker downloaded a malicious file they thought to be legitimate. Then, and this is where the clarity falls apart a bit, several (we have seen 7 to 300) servers were infected with ransomware out of the potentially thousands of servers the hospital has on its network. Some estimates say Ascension has 25,000 servers. We would love for someone to verify that for us, but if that is true, then about .012% of the servers Ascension Health has were infected, and that brought down access for hundreds of thousands of employees and patients, forcing the healthcare workers to go back to paper and pencil.

Here are some more recent articles after our original June 12th posting:

https://www.npr.org/2024/06/19/nx-s1-5010219/ascension-hospital-ransomware-attack-care-lapses

https://www.jsonline.com/story/money/business/2024/06/13/how-did-the-cyberattack-on-major-hospital-system-ascension-happen/74084483007/

https://www.hipaajournal.com/ascension-cyberattack-2024/

Because we do not have and probably will not get more details on this cyber attack, we thought it would be helpful to explain ransomware and how this attack may have worked:

Understanding Ransomware

Ransomware is a type of malicious software designed to block access to a computer system or data until a ransom is paid. It often encrypts files, making them inaccessible to the user. Cybercriminals typically demand payment in cryptocurrency to unlock the affected files or systems. Ransomware can enter a network through various vectors, with malicious downloads being one of the most prevalent.

The Initial Infection: Downloading the Malicious File

The process typically begins with an unsuspecting user downloading a file that appears legitimate but is, in fact, infected with malware. This file can come from various sources, including:

  • Email Attachments: Phishing emails often contain attachments that, when opened, execute malicious code.

  • Compromised Websites: Users can download infected files from websites that have been compromised by hackers.

  • Social Engineering: Attackers may trick users into downloading files by masquerading as trusted contacts or institutions.

Execution and Installation

Once the infected file is downloaded and executed, the malware begins its operation. The malicious code installs itself on the victim's machine, often disguising itself as a legitimate application to avoid detection by antivirus software. The ransomware payload is then deployed, and the malware starts encrypting files on the infected device.

Propagation Across the Network

Ransomware is particularly dangerous because of its ability to spread rapidly across a network. Here's how it typically propagates:

  1. Credential Harvesting:

    • The malware may capture user credentials, gaining access to other networked systems.

    • With administrative privileges, it can move laterally across the network.

  2. Exploiting Network Vulnerabilities:

    • Ransomware often exploits known vulnerabilities in software and network protocols to spread.

    • Outdated systems or unpatched software provide an easy target for ransomware to propagate.

  3. Network Shares and Drives:

    • Many businesses use shared network drives and folders. Ransomware can encrypt files on these shared resources, impacting multiple users simultaneously.

    • The malware scans for available network shares and infects them, spreading the encryption to all accessible files.

  4. Remote Desktop Protocol (RDP):

    • Attackers may use compromised RDP connections to infiltrate other machines on the network.

    • Weak or reused passwords make RDP an easy target for spreading ransomware.
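As an added illustration (not from the original post) of the share-encryption pattern in step 3 above, here is a small detection heuristic run over constructed file-server audit lines: it flags one account renaming many files on one share to an unfamiliar extension within a short window. The audit-line format, account names, share names and extension allow-list are all assumptions made for the example.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-line format (constructed for this example, not any real product's format):
# "<ISO-8601 timestamp> share=<name> user=<account> op=<WRITE|RENAME|DELETE> path=<path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) share=(?P<share>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$")
# Constructed allow-list of extensions normally on the share; a RENAME burst to anything else is suspicious.
KNOWN_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".dcm", ".hl7", ".txt"}

# Constructed sample audit lines: one normal rename by a nurse, then one account renaming
# six charts to ".locked" within nine seconds (the share-encryption pattern described above).
SAMPLE_LOG = """\
2024-05-08T02:10:00 share=clinical user=anurse op=WRITE path=/charts/note_77.docx
2024-05-08T02:10:03 share=clinical user=anurse op=RENAME path=/charts/note_77_final.docx
2024-05-08T02:11:00 share=clinical user=jdoe op=RENAME path=/charts/p1042.pdf.locked
2024-05-08T02:11:01 share=clinical user=jdoe op=RENAME path=/charts/p1043.pdf.locked
2024-05-08T02:11:01 share=clinical user=jdoe op=RENAME path=/charts/p1044.pdf.locked
2024-05-08T02:11:02 share=clinical user=jdoe op=RENAME path=/charts/p1045.pdf.locked
2024-05-08T02:11:04 share=clinical user=jdoe op=RENAME path=/charts/p1046.pdf.locked
2024-05-08T02:11:09 share=clinical user=jdoe op=RENAME path=/charts/p1047.pdf.locked
""".splitlines()

def parse(lines):
    """Yield (timestamp, share, user, op, path) for each line matching LINE_RE; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["share"], m["user"], m["op"], m["path"]

def find_encryption_bursts(lines, window_seconds=60, threshold=5):
    """Return (user, share, count, new_exts) alerts: >= threshold renames to an unknown extension in one window."""
    by_actor = defaultdict(list)
    for ts, share, user, op, path in parse(lines):
        if op == "RENAME":
            by_actor[(user, share)].append((ts, path))
    alerts, window = [], timedelta(seconds=window_seconds)
    for (user, share), events in by_actor.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window starting at each rename
            in_window = [p for t, p in events[i:] if t - start <= window]
            new_exts = {os.path.splitext(p)[1] for p in in_window} - KNOWN_EXTENSIONS - {""}
            if len(in_window) >= threshold and new_exts:
                alerts.append((user, share, len(in_window), sorted(new_exts)))
                break  # one alert per account/share is enough to start triage
    return alerts

if __name__ == "__main__":
    print(find_encryption_bursts(SAMPLE_LOG))  # [('jdoe', 'clinical', 6, ['.locked'])]
```

Feeding such an alert into an automated response (disabling the account or its SMB session) is what turns the "spreads across shares" step into a contained event instead of a hospital-wide outage.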

The Consequences of a Ransomware Attack

The impact of a ransomware attack can be devastating:

  • Data Loss: Encrypted files may become permanently inaccessible if the ransom is not paid or the decryption key is not obtained.

  • Operational Disruption: Businesses may experience significant downtime, leading to loss of productivity and revenue.

  • Financial Loss: Beyond the ransom itself, companies face costs related to incident response, recovery, and potential legal liabilities.

  • Reputational Damage: Trust in the organization can be severely damaged, affecting relationships with clients, partners, and stakeholders.

Mitigating the Risk of Ransomware

To protect against the threat of ransomware, organizations should implement the following strategies:

  1. Employee Training:

    • Regularly train employees on the dangers of downloading files from unknown sources and recognizing phishing attempts.

  2. Robust Antivirus and Anti-Malware Solutions:

    • Deploy advanced security software to detect and block malware before it can execute.

  3. Regular Backups:

    • Maintain regular backups of critical data and ensure they are stored offline or in a secure, isolated environment.

  4. Patch Management:

    • Keep all systems and software up to date with the latest security patches to close vulnerabilities.

  5. Network Segmentation:

    • Segment networks to limit the spread of ransomware. Implement strict access controls to ensure that only authorized users can access sensitive areas of the network.

  6. Incident Response Plan:

    • Develop and regularly update an incident response plan to quickly address and mitigate the impact of ransomware attacks.

Conclusion

Downloading an infected file can set off a chain reaction that results in a widespread ransomware infection, causing significant damage to an organization's network and operations. By understanding how ransomware propagates and implementing robust security measures, businesses can protect themselves from these malicious attacks and ensure the integrity and availability of their data.

Solvonex can help you build your networks in layers, mitigate ransomware infections, and assist in training your users on how to avoid malicious content. Contact us to find out more today!
